Alert essentials:

A threat actor can execute arbitrary code in FortiManager using an API vulnerability currently exploited in the wild.

Version upgrades are available for FortiManager 7.2.8 and 7.4.5. More fixes are expected to be released in the coming days.

 



Detailed threat description:

A critical function in Fortinet’s FortiManager “fgfmd” daemon is missing authentication.

If an unauthenticated attacker obtains a certificate from any Fortinet device they own or have compromised, the missing authentication check lets them execute arbitrary code on FortiManager remotely.

Attacks are reported in the wild, and this flaw, with a CVSS score of 9.8, has already been added to CISA’s Known Exploited Vulnerabilities list. Fortunately, there are no current indications that malware or backdoors are being installed via this method. However, exfiltration of files containing configurations and credentials has been observed.

Customers known to have vulnerable FortiManager versions privately received mitigation instructions from Fortinet about ten (10) days ago. Since then, the bypass has been fixed in two available version upgrades. Additional version upgrades with fixes are expected to be released soon. Until then, perform the following mitigations on vulnerable devices.

Mitigations:

  • Utilize the set fgfm-deny-unknown enable command to prevent devices with unknown serial numbers from registering to the FortiManager.
  • Create a custom certificate when creating the SSL tunnel and authenticating FortiGate devices with FortiManager.
  • Create an allowed list of IP addresses for FortiGate devices that are allowed to connect

*Instructions on performing mitigations can be found in Fortinet’s advisory.

UPDATE: Workarounds

Upgrade to a fixed version or use one of the following workarounds, depending on the version you’re running:

1) For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:

config system global
(global)# set fgfm-deny-unknown enable
(global)# end

Note: This is the only workaround recommended for use in FortiManager Cloud.

Warning: With this setting enabled, be aware that if a FortiGate’s SN is not in the device list, FortiManager will prevent it from connecting to register upon deployment, even when a model device with PSK matches.

If FAZ features are enabled on FMG, block the addition of unauthorized devices via Syslog:

conf system global
set detect-unregistered-log-device disable
end

If FortiGate Updates or Web Filtering are enabled, block the addition of unauthorized devices via FDS:

conf fmupdate fds-setting
set unreg-dev-option ignore
end

2) Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.

Example:
config system local-in-policy
edit 1
set action accept
set dport 541
set src
next
edit 2
set dport 541
next
end

3) For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above, it is also possible to use a custom certificate which will mitigate the issue:

config system global
set fgfm-ca-cert
set fgfm-cert-exclusive enable
end

Then install that certificate on the FortiGates. Only this CA will be accepted; this acts as a workaround provided that the attacker cannot obtain a certificate signed by this CA via an alternate channel.

NB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.
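To verify that the global and FDS workarounds above are actually in place, here is an added Python example (not part of this advisory and not Fortinet tooling) that parses a FortiManager CLI config dump and reports each of the four settings that is absent or holds a different value. The parser, the expected-value table and the sample dump are assumptions made for the example; the setting names and values are the ones from the workarounds above.

```python
from typing import Dict, List, Tuple

# Workaround settings named in the advisory, keyed by the CLI scope that holds them.
EXPECTED = {
    "system global": {"fgfm-deny-unknown": "enable", "fgfm-cert-exclusive": "enable",
                      "detect-unregistered-log-device": "disable"},
    "fmupdate fds-setting": {"unreg-dev-option": "ignore"},
}

def parse_config(text: str) -> Dict[Tuple[str, ...], Dict[str, str]]:
    """Flatten a FortiManager CLI dump into {scope path: {setting: value}}.
    'config'/'conf' opens a scope, 'edit <id>' nests one, 'next' and 'end' close one each."""
    scopes: Dict[Tuple[str, ...], Dict[str, str]] = {}
    path: List[str] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "conf"):
            path.append(" ".join(args))
        elif kw == "edit":
            path.append(args[0].strip('"'))
        elif kw == "set":
            scopes.setdefault(tuple(path), {})[args[0]] = " ".join(args[1:]).strip('"')
        elif kw in ("next", "end") and path:
            path.pop()
    return scopes

def audit(text: str) -> List[str]:
    """One finding per expected setting that is absent from the dump or set to another value."""
    cfg, findings = parse_config(text), []
    for scope, wanted in EXPECTED.items():
        actual = cfg.get((scope,), {})
        for key, value in wanted.items():
            if key not in actual:
                findings.append(f"{scope}: {key} not set (expected {value})")
            elif actual[key] != value:
                findings.append(f"{scope}: {key} is {actual[key]} (expected {value})")
    return findings

# Constructed dump for this example: one workaround applied, two wrong, the FDS scope absent.
SAMPLE_DUMP = """\
config system global
    set fgfm-deny-unknown disable
    set detect-unregistered-log-device enable
    set fgfm-cert-exclusive enable
end
"""
```

Run `audit(open("dump.txt").read())` against a saved `show` output from each FortiManager; an empty list means all four settings match the workaround.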


Impacts on healthcare organizations:

Whenever healthcare systems are attacked, care delivery is delayed, inevitably putting patient safety at risk.


Affected products / versions:

FortiManager versions impacted are:


*FortiManager Cloud 7.6 is not affected

UPDATE: Older FortiAnalyzer models are also impacted when the specific FortiManager features below are enabled on them.

Models: 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E

With the following feature enabled:
config system global
set fmg-status enable
end

and at least one interface with the fgfm service enabled, these models have been reported to be impacted by this vulnerability.

CVEs
CVE-2024-47575

IOCs

Log entries
type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,…",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"

type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

IP addresses

Serial Number
Rogue devices are using the serial number FMG-VMTM23017412
UPDATE: and also FMG-VMTM19008093

Creation of Files
/tmp/.tm
/var/tmp/.tm

*Note that file IoCs may not appear in all cases.
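As an added detection example (not from this advisory and not Fortinet code): a small Python scanner that tokenizes FortiManager event-log lines of the shape shown above and flags the two log-based indicators, the "Unregistered device localhost add succeeded" message and device edits that name either rogue serial number. The tokenizer and the sample log lines are constructed for the example; the third sample line is a benign edit for contrast.

```python
import re
from typing import Dict, List

# key=value tokenizer: quoted values may hold spaces or commas, bare values end at space/comma
_KV = re.compile(r'(\w+)=("[^"]*"|[^\s,]*)')

# Indicators quoted in the advisory: rogue FortiManager serial numbers and the tell-tale message
ROGUE_SERIALS = {"FMG-VMTM23017412", "FMG-VMTM19008093"}
UNREGISTERED_ADD = "Unregistered device localhost add succeeded"

def parse_event(line: str) -> Dict[str, str]:
    """Split a FortiManager event-log line into a field dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def match_iocs(line: str) -> List[str]:
    """Return the IoC labels a single log line matches (empty list when benign)."""
    ev = parse_event(line)
    hits: List[str] = []
    if ev.get("subtype") != "dvm":          # only device-manager events are relevant
        return hits
    # IoC 1: an unregistered "localhost" device being added by the daemon itself
    if UNREGISTERED_ADD in (ev.get("msg", ""), ev.get("changes", "")):
        hits.append("unregistered-localhost-add")
    # IoC 2: a device edit that names one of the rogue serial numbers
    sn = re.search(r"\(SN ([A-Z0-9-]+)\)", ev.get("changes", ""))
    if sn and sn.group(1) in ROGUE_SERIALS:
        hits.append("rogue-serial:" + sn.group(1))
    return hits

def scan(lines: List[str]) -> List[tuple]:
    """(line index, IoC label) for every match across a batch of log lines."""
    return [(i, h) for i, line in enumerate(lines) for h in match_iocs(line)]

# Constructed sample lines shaped like the advisory's IoC entries; the third one is benign
SAMPLE_LOGS = [
    'type=event,subtype=dvm,pri=information,desc="Device manager generic information log",'
    'user="device" msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost"',
    'type=event,subtype=dvm,pri=notice,desc="Device Manager dvm log at notice level",'
    'user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" '
    'performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,desc="Device Manager dvm log at notice level",'
    'user="admin",userfrom="GUI",msg="" adom="root" session_id=7 operation="Modify device" '
    'performed_on="FGT-branch-01" changes="Edited device settings (SN FGT-EXAMPLE-0001)"',
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LOGS):
        print(f"line {idx}: {label}")
```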

UPDATE: The manufacturer-supplied recovery methods for compromised devices are available at the Fortinet PSIRT link below.


Recommendations

Engineering recommendations:

  • Upgrade vulnerable versions as soon as a fix is available
  • Perform mitigations for protection on vulnerable versions that do not have a fix currently

Leadership/Program recommendations:

  • Look for private notifications from Fortinet regarding the use of vulnerable Fortinet solutions
  • If your organization has a vulnerable FortiManager and a notice was not received, reach out to your Fortinet contact to be included in future notices

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: